need help, will pay

I have a Pix 501 with 3DES, 10 Users license.

I have a DSL connection to the internet, using PPPoE. Speed is 1.5 up/down.

I have a small Windows 2003 Server with AD, Exchange, SQL, IIS, FTP, etc.

I want to have a VPN set up with security foremost in mind. I have access to the Cisco VPN client. My main goals, in the order:

1) Security
2) Remote users can fully act like they are inside my home when connected via VPN.

I need the VPN part configured and am willing to pay via PayPal, for help.

If interested, let me know.

Todd snipped-for-privacy@hotmail.com

Michael Williams

In article , Michael Williams snipped-for-privacy@hotmail.com wrote:
:I have a Pix 501 with 3DES, 10 Users license.
:I have a DSL connection to the internet, using PPPoE. Speed is 1.5 up/down.
:I have a small Windows 2003 Server with AD, Exchange, SQL, IIS, FTP, etc.

:I want to have a VPN set up with security foremost in mind. I have access to
:the Cisco VPN client. My main goals, in the order:

:1) Security
:2) Remote users can fully act like they are inside my home when connected
:via VPN.

:I need the VPN part configured

The Pix Device Manager (PDM) should be able to set this up for you with little difficulty.

Walter Roberson

In article , Walter Roberson wrote:
|In article ,
|Michael Williams snipped-for-privacy@hotmail.com wrote:
|:I have a Pix 501 with 3DES, 10 Users license.

|:I need the VPN part configured

|The Pix Device Manager (PDM) should be able to set this up for you

Log in to PDM -- https:// to the IP of the PIX. Go through the login procedure. Wait for it to load your configuration.

Then, look right at the top at the menu bar. Choose the Wizards menu, and the VPN Wizard from there. When the VPN Wizard comes up, click the 'Remote Access VPN' radio box, leave the interface as outside, then click Next. If you are intending to have the others connect using the Cisco VPN client, leave the radio box at the first entry (release 3 or later) and Next. Fill in an arbitrary group name -- this group name will be needed by the VPN client to log in, so make it easy to remember. Fill in a Group Password, confirm it, Next. Leave "Enable Extended Client Authentication" checked, but in the AAA Server Group dropbox, go to LOCAL instead of RADIUS or TACACS; then Next.

Create some users on the next screen... you should probably change their privilege level to "Monitor Only (3)" in the dropbox. When you have enough users created, Next.

Put in an address pool name, and put in start and end addresses. These addresses *must* be in a range different than your inside IPs -- it is crucial that the inside IPs think of the IPs as being "outside". It is fine, though, for these IPs to be in an RFC 1918 private range. Next.

Fill in DNS server, WINS server, domain name. In order for the users to see your network "just like" they were inside, you MUST have a WINS server... [unless, that is, your users are all going to use LMHOSTS to resolve everything in your network {i.e., not practical.}] Next.

Choose an encryption such as 3DES SHA Group 2, or AES-128 SHA Group 5. Next.

Choose an encryption and authentication on this new window. Trust me, they are used for different purposes than the previous window... but it's probably easiest to use whatever you used on the previous window. Next.

On the Address Translation Exemption page, in the IP address box, fill in your inside IP network (e.g., 192.168.49.0) and choose the appropriate Mask, and then click >> so it shows up on the right-hand side. Then you -might- want to Enable Split Tunneling... or not. Split Tunneling is more convenient for your users, but less safe for you.

Now click Finish and wait for the PDM to make the appropriate changes.

After that, you may wish to click on the Save icon at the top.

Walter Roberson
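
A pre-flight check for the address pool and split tunneling choices in the post above, added here as an example and not part of the original thread. The function name `check_vpn_pool` and the pool addresses are constructed for illustration; treating a pool outside RFC 1918 as worth a note is an assumption of this example, not something the post requires.

```python
import ipaddress

# RFC 1918 private ranges, which the post says are fine for the pool.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_vpn_pool(inside_net, pool_start, pool_end, split_tunnel=False):
    """Return (severity, message) findings for the wizard inputs."""
    inside = ipaddress.ip_network(inside_net)   # accepts "net/mask" form
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        return [("error", "pool start is above pool end")]

    # Turn the start-end range into CIDR blocks so overlap can be tested.
    blocks = list(ipaddress.summarize_address_range(start, end))
    findings = []
    if any(b.overlaps(inside) for b in blocks):
        findings.append(("error",
            f"pool {start}-{end} overlaps inside network {inside}"))
    # Assumption of this example: a pool outside RFC 1918 gets a second look.
    if not all(any(b.subnet_of(r) for r in RFC1918) for b in blocks):
        findings.append(("note", "pool is not entirely RFC 1918 space"))
    if split_tunnel:
        findings.append(("note",
            "split tunneling on: convenient for users, less safe for you"))
    return findings

if __name__ == "__main__":
    # Constructed inputs; 192.168.49.0 is the example network from the post.
    inside = "192.168.49.0/255.255.255.0"
    for args in [(inside, "192.168.50.1", "192.168.50.10"),
                 (inside, "192.168.49.200", "192.168.49.210"),
                 (inside, "198.51.100.1", "198.51.100.10", True)]:
        print(args[1], "-", args[2], check_vpn_pool(*args))
```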
